We received a penetration testing result from a customer that our Content Security Policy (CSP) is insecure because we use ‘unsafe-inline’ and ‘unsafe-eval’ without nonces. We have this due to the requirement from Heap https://developers.heap.io/docs/web#content-security-policy-csp, but I’d like to know why? Is there anyway to get Heap to work without these source list values?
I submitted a support ticket for this and received a response. I’m posting it here for those interested.
We're actively investigating ways to make this option more secure, but we're not able to directly provide a nonce-based solution at this time. However, it is possible to implement a hash- or nonce-based solution on your end. The hash-based solution is the more straightforward option, as it simply requires sending a hash of the Heap install snippet as part of your CSP. This ensures that the Heap snippet specifically can be run without enabling other inline code generally by requiring 'unsafe-inline'. (Please note that each environment within your project will require its own hash, as an environment-specific ID is included in each environment's Heap install snippet.) Please note that responsibility for implementing and maintaining a nonce or hash solution does fall on your development team.
It's also worth reviewing that at present, there are two main components to our Content Security Policy, 'unsafe-inline' and 'unsafe-eval'. While 'unsafe-inline' (or a nonce or hash solution) is currently required for heap.js to capture data, 'unsafe-eval' can be removed if you don't mind losing access to snapshots and the Event Visualizer. One option this allows for is disabling 'unsafe-eval' on the production site, but enabling it for a development version of the site that contains no sensitive data. This will allow definition of events on the development site in the Event Visualizer, and since defined events are shared between environments within a project, those events will be available for reporting in the production environment as well.
We’re experiencing the same problem, but we’re not able to develop the solution proposed in this paragraph.
However, it is possible to implement a hash- or nonce-based solution on your end. The hash-based solution is the more straight-forward option, as it simply requires sending a hash of the Heap install snippet as part of your CSP.
Our sites are statically generated, and the hash could change each time the Heap team decides to update their site/Visual labeling feature; a nonce could be a solution, but for us it is a major refactor of the application. Additionally, we're forbidden to set unsafe-inline because of security concerns. Any update on this topic?